CLAIMS 



1 . A method of limiting unauthorized network requests, comprising the steps of: 
5 identifying entities legitimately entitled to service; 

establishing said identified entities as trusted entities; 

processing requests from said trusted entities according to a first policy; and 

processing remaining requests according to at least a second policy. 

10 2. The method of Claim 1 , wherein an entity comprises a user ID/client pair. 

3. The method of Claim 2, wherein said client comprises any of: 
an instance of a client software application; and 

a machine running a client software application. 

15 

4. The method of Claim 2, wherein entities legitimately entitled to service 
comprise entities previously able to successfully authenticate to a network service. 

5. The method of Claim 4, wherein said network service comprises a server. 

20 

6. The method of Claim 4/ wherein establishing said identified entities as trusted 
entities comprises the step of: 

issuing a trust token for each entity successfully authenticating to said 
network service. 

25 
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7. The method of Claim 6, wherein said trust token comprises a data object. 

8. Method of claim 7, said data object including: 
said user ID or a derivative thereof. 

9. The method of Claim 8, wherein said derivative comprises a cryptographic 
hash of the user ID. 

10. The method of Claim 8, wherein said data object further includes any of: 

a time stamp of first authentication to said network service by said entity; and 
a time stamp of a most recent authentication to said network service by said 

entity. 

1 1 . The method of Claim 8, said data object including a client identifier. 

1 2. The method of Claim 1 1 , said client identifier comprising any of: 
a client identifier assigned by said network service; and 

a client identifier provided by the client. 

13. The method of Claim 7, further comprising a step of encrypting said trust 
token. 

14. The method of Claim 13, further comprising the step of: 

transmitting said trust token from said network service to said client upon 
successful authentication to said network service by said entity. 
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15. The method of Claim 14, wherein said step of transmitting said trust token 
occurs via a secure channel. 

16. The method of Claim 15, wherein said secure channel comprises a network 
5 connection secured via the SSL (secure sockets layer) protocol. 

17. The method of Claim 7, further comprising the step of: 
storing said issued trust token on said client. 

10 18. The method of Claim 1 7, further comprising the step of: 

transmitting said stored issued trust token along with said user ID, 
authentication credentials, and client identifier from said client to said network 
service. 

15 19. The method of Claim 18, wherein said step of transmitting said stored, issued 
trust token occurs via a secured channel. 

20. The method of Claim 19, wherein said secured channel comprises a network 
connection secured via the SSL (secure sockets layer) protocol. 

20 

21. The method of Claim 12, further comprising a step of storing said issued trust 
token in a server side database, indexed according to a combination of user ID and 
client identifier. 
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22. The method of Claim 21, further comprising the step of: 

transmitting said client identifier assigned by said network service from said 
network service to said client upon successful authentication to said network service 
by said entity. 

23. The method of Claim 22, wherein said step of transmitting said client identifier 
assigned by said network service occurs via a secure channel. 



24. The method of Claim 22, said secure channel comprising a network 
10 connection secured via the SSL (secure sockets layer) protocol. 

25. The method of Claim 21 , further comprising the steps of: 
transmitting said user ID and client identifier to said server; and 
retrieving said stored trust token from said database. 

15 

26. The method of Claim 21 , wherein said server side database serves a plurality 
of services. 



27. The method of Claim 2, wherein processing requests from said trusted entities 
20 according to a first policy comprises the steps of: 

validating said trust token; and 

processing request without adding incremental response latency. 

28. The method of Claim 27, wherein said step of validating said trust token 
25 comprises the step of: 
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verifying that the user ID and a client identifier in the trust token match those 
presented by the client on the request. 

29. The method of Claim 28, wherein said step of validating said trust token 
5 further comprises any of the steps of: 

verifying that a time stamp of a first authentication by the entity recorded in 
the trust token is no earlier than a configurable earliest acceptable first- 
authentication time stamp; and 

verifying that a time stamp of a last authentication by the entity recorded in the 
10 trust token is no earlier than a configurable earliest acceptable last-authentication 
time stamp. 

30. The method of Claim 2, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 

15 response latency when processing untrusted logins. 

31. The method of Claim 30, wherein untrusted logins include successful and 
unsuccessful logins from entities not bearing a trust token. 

20 32. The method of Claim 31, wherein response latency is added to a configurable 
percentage of successful untrusted logins. 

33. The method of Claim 2, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 
25 response latency when processing requests from untrusted IP addresses that have 
exceeded a configurable login rate. 
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34. The method of Claim 2, wherein processing remaining requests according to 
at least a second policy comprises requiring an untrusted entity to complete a Turing 
test. 

5 35. The method of Claim 1 , wherein said policies are applied by a server. 

36. The method of Claim 35, wherein said server applies rate policies for a 
plurality of network devices. 

10 37. The method of Claim 6, further comprising the step of: 
updating said trust token after a login by a trusted entity. 

38. A computer program product comprising computer readable code means 
embodied on a tangible medium, said computer readable code means comprising 
code for performing a method of limiting unauthorized network requests, said method 
comprising the steps of: 

identifying entities legitimately entitled to service; 
establishing said identified entities as trusted entities; 

processing requests from said trusted entities according to a first policy; and 
processing remaining requests according to at least a second policy. 

39. The method of Claim 38, wherein an entity comprises a user ID/client pair. 

40. The method of Claim 39, wherein said client comprises any of: 
25 an instance of a client software application; and 

a machine running a client software application. 
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41. The method of Claim 40, wherein entities legitimately entitled to service 
comprise entities able to successfully authenticate to a network service. 

5 42. The method of Claim 41 , wherein said network service comprises a server. 

43. The method of Claim 41, wherein establishing said identified entities as 
trusted entities comprises the step of: 

issuing a trust token for each entity successfully authenticating to said 
10 network service. 

44. The method of Claim 43, wherein said trust token comprises a data object. 

45. The method of Claim 44, said data object including: 
15 said user ID or a derivative thereof. 

46. The method of Claim 45, wherein said derivative comprises a cryptographic 
hash of the user ID. 

20 47. The method of Claim 45, wherein said data object further includes any of: 

a time stamp of first authentication to said network service by said entity; and 
a time stamp of a most recent authentication to said network service by said 

entity. 

25 48. The method of Claim 47, said data object including a client identifier. 
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49. The method of Claim 48, said client identifier comprising any of: 
a client identifier assigned by said network service; and 
a client identifier provided by the client. 

5 50. The method of Claim 45, further comprising the step of: 
encrypting said trust token. 

51 . The method of Claim 50, further comprising a step of: 

transmitting said trust token from said network service to said client upon 
10 successful authentication to said network service by said entity. 

52. The method of Claim 51 , wherein said the step of: 
transmitting said trust token occurs via a secure channel. 

15 53. The method of Claim 52,' wherein said secure channel comprises a network 
connection secured via the SSL (secure sockets layer) protocol. 

54. The method of Claim 49, further comprising the step of: 
storing said issued trust token on said client. 

20 

55. The method of Claim 54, further comprising the step of: 

transmitting said stored issued trust token along with said user ID, 
authentication credentials, and client identifier from said client to said network 
service. 

25 
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56. The method of Claim 55, wherein said step of transmitting said stored, issued 
trust token occurs via a secured channel. 

57. The method of Claim 56, wherein said secured channel comprises a network 
5 connection secured via the SSL (secure sockets layer) protocol. 

58. The method of Claim 50, further comprising the step of: 

storing said issued trust token in a server side database, indexed according to 
a combination of user ID and client identifier. 

10 

59. The method of Claim 58, further comprising the step of: 

transmitting said client identifier assigned by said network service from said 
network service to said client upon successful authentication to said network service 
by said entity. 

15 

60. The method of Claim 59, wherein said step of transmitting said client identifier 
assigned by said network service occurs via a secure channel. 

61. The method of Claim 59, said secure channel comprising a network 
20 connection secured via the SSL (secure sockets layer) protocol. 

62. The method of Claim 58, further comprising the steps of: 
transmitting said user ID and client identifier to said server; and 
retrieving said stored trust token from said database. 

25 
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63. The method of Claim 58, wherein said server side database serves a plurality 
of services. 

64. The method of Claim 40, wherein processing requests from said trusted 
5 entities according to a first policy comprises the steps of: 

validating said trust token; and 

processing without adding incremental response latency. 

65. The method of Claim 64, wherein said step of validating said trust token 
10 comprises the step of: 

verifying that the user ID and a client identifier in the trust token match those 
presented by the client on the request. 

66. The method of Claim 65, wherein said step of validating said trust token 
1 5 further comprises any of the steps of: 

verifying that a time stamp of a first authentication by the entity recorded in 
the trust token is no earlier than a configurable earliest acceptable first- 
authentication time stamp; and 

verifying that a time stamp of a last authentication by the entity recorded in the 
20 trust token is no earlier than a configurable earliest acceptable last-authentication 
time stamp. 

67. The method of Claim 40, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 

25 response latency when processing untrusted logins. 
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68. The method of Claim 67, wherein untrusted logins include successful and 
unsuccessful logins. 



69. The method of Claim 68, wherein response latency is added to a configurable 
5 percentage of successful logins. 

70. The method of Claim 40, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 
response latency when processing requests from IP addresses that have exceeded 

10 a configurable login rate. 

71 . The method of Claim 40, wherein processing remaining requests according to 
at least a second policy comprises requiring an untrusted entity to complete a Turing 
test. 

15 

72. The method of Claim 39, wherein said policies are applied by a server. 

73. The method of Claim 72, wherein said server applies rate policies for a 
plurality of network devices. 

20 

74. The method of Claim 44; further comprising the step of: 
updating said trust token after a login by a trusted entity. 

25 
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75. A method of establishing an entity requesting a network service as trusted, 
comprising the steps of: 

for each successful authentication, adding or updating a database record 
containing at least a user identifier, an originating network address and a 
5 date/timestamp of first and/or the current successful authentication; 

comparing all subsequent authentication requests to said record; and 
where the user identifier of a subsequent request matches that of a successful 
authentication, extending trust to the subsequent request if its originating network 
address and timestamp information satisfy predetermined criteria in relation to said 
10 record. 

76. The method of Claim 75, wherein said step of adding or updating a database 
record comprises either of the steps of: 

creating a new record by said network service if an entity has not previously 
15 authenticated to said network service; and 

updating a previously created record for subsequent authentication requests 
from said entity. 

77. The method of Claim 75, wherein a network address comprises an IP (internet 
20 protocol) address. 

78. The method of Claim 75, wherein the step of extending trust to the 
subsequent request comprises: 

extending trust if the user identification and originating network address match 
25 those of the record exactly, and wherein the data/timestamps from the record satisfy 
configurable bounds checks. 
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79. The method of Claim 7.5, wherein the step of extending trust to the 
subsequent request comprises: 

when the user identifier of the subsequent request matches that of a record, 
5 determining a trusted address range for the user identifier from stored authentication 
records. 

80. The method of Claim 79, wherein the step of extending trust to the 
subsequent request further comprises: 

10 if the originating address of the subsequent request falls within the trusted 

address range, and 

determining if the data/timestamps for the trusted address range satisfy 
configurable bounds checks. 

15 81. The method of Claim 79, wherein the step of determining if the 

data/timestamps for the trusted address range satisfy configurable bounds checks 

comprises the steps of: 

establishing earliest date/timestamp for the trusted IP range as a minimum for 

the earliest authentication timestamp; and 
20 establishing earliest date/timestamp for the trusted IP range as a maximum 

for the earliest authentication timestamp. 

82. The method of Claim 79, wherein the step of extending trust to the 
subsequent request further comprises: 
25 if the timestamps pass configurable bounds checks, extending trust to the 

request. 
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83. The method of Claim 75, wherein the entity comprises a user requesting the 
network service from an anonymous client. 

5 84. The method of Claim 83, wherein the network service comprises a server. 

85. The method of Claim 84, wherein the client and the server are in 
communication via a secured network channel. 

10 86. The method of Claim 85, said secure channel comprising a network 
connection secured via the SSL (secure sockets layer) protocol 

87. The method of Claim 75, further comprising the steps of: 
processing requests from trusted entities according to a first policy; and 

15 processing remaining requests according to at least a second policy. 

88. The method of Claim 87, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 
response latency when processing untrusted logins. 

20 

89. The method of Claim 88, wherein untrusted logins include successful and 
unsuccessful logins from untrusted entities. 

90. The method of Claim 89, wherein response latency is added to a configurable 
25 percentage of successful untrusted logins. 
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91. The method of Claim 87, wherein processing remaining requests according to 
at least a second policy comprises adding a configurable amount of incremental 
response latency when processing requests from IP addresses that have exceeded 
a configurable login rate. 

5 

92. The method of Claim 87, wherein processing remaining requests according to 
at least a second policy comprises requiring an untrusted entity to complete a Turing 
test. 

10 93. The method of Claim 87, wherein said policies are applied by a server. 

94. The method of Claim 91, wherein said server applies rate policies for a 
plurality of network devices. 

15 



20 
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